Confidentiality: disclosing information for employment, insurance and similar purposes
In our guidance Confidentiality: good practice in handling patient information we say:
115. Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:
a. be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be concealed or withheld
b. obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
c. only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record, although it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health related benefits
d. offer to show your patient, or give them a copy of, any report you write about them for employment or insurance purposes before it is sent, unless:
i. they have already indicated they do not wish to see it
ii. disclosure would be likely to cause serious harm to the patient or anyone else
iii. disclosure would be likely to reveal information about another person who does not consent.1
About this guidance
One of the core duties of a doctor is to make the care of your patient2 your first concern. There are, however, many circumstances in which you might be asked to disclose information from existing records or after examining a patient, and in which you face dual obligations. By this we mean that you have obligations both to the patient and to the person or organisation that has requested the information.
The term ‘patient’ in this guidance refers to employees, clients, claimants, athletes and anyone else whose personal information you hold or have access to, whether or not you care for them in a traditional therapeutic relationship.
This explanatory guidance sets out how the general principles in our guidance Confidentiality apply when patient information is being disclosed in these circumstances. The guidance applies to disclosure of information obtained directly from a patient, or from a patient’s medical record, or from another health professional. It does not apply if your opinions are based solely on information provided by the person or body that is commissioning the opinion.
When do dual obligations arise?
Usually, dual obligations arise when a doctor works for, is contracted by, or otherwise provides services to:
- a patient’s employer (as an occupational health doctor)
- an insurance company
- an agency assessing a claimant’s entitlement to benefits
- the police (as a police surgeon)
- the armed forces
- the prison service
- a sports team or association.3
Doctors might provide their services to professional sports clubs (where the dual obligation is to both the patient and the club, which is very similar to the dual obligation of an occupational health doctor) or to associations (where the dual obligation is both to the patient and to a governing body or team of selectors).
Alternatively, a person or organisation you have previously had no direct relationship with, such as your patient’s employer or insurance company, might ask you to provide a medical report or information about a patient. You might be offered payment for your own or your staff’s time and effort, giving rise to an obligation in addition to the one you have to your patient.
How much information should you disclose?
You should only disclose information that is relevant to the request, which means you should not usually disclose a patient’s whole record.4 There are two exceptions to this general rule:
- Benefit claims: the patient’s whole record may be relevant to some benefits paid by government departments or agencies.5
- Legal processes: a solicitor may need to see their client’s whole record to assess which parts are relevant, for example, to personal injury claims. If the claim goes ahead, the person against whom the claim is made may ask for copies of important documents, which could include records containing the patient’s medical history. Under court rules in England and Wales, they can see the patient’s whole record and the solicitor should explain this to the patient. In Northern Ireland and Scotland, you should disclose your patient’s record in accordance with their wishes or as ordered by a court.6
Disclosure of the whole record may breach the principles of the data protection law, as the full record may contain information that is excessive and not relevant for the purpose. The Information Commissioner’s Office (ICO) has advised that it is not appropriate for insurance companies to obtain medical records using patients’ subject access requests. The Access to Medical Reports Act 1988 gives insurance companies a clear and established legal route to access medical information, while safeguarding patients’ rights.
The Law Society and the British Medical Association jointly publish model consent forms authorising the release of health records to solicitors under the data protection law. The forms include notes for clients, solicitors and medical records controllers.
When writing a report7 you must:
- make sure it is not false or misleading – you must take reasonable steps to check the information in the report is correct, and you must not deliberately leave out relevant information
- restrict the report to areas in which you have direct experience or relevant knowledge
- make sure any opinion you include is balanced, and be able to state the facts or assumptions on which it is based.
Disclosing a report about a patient
You do not need to ask for separate consent to release a report following an examination as long as you are satisfied that the patient has given informed consent both for the examination and for the release of any subsequent reports (see paragraph 115 of Confidentiality, which is reproduced at the top of this explanatory guidance).
Third parties, such as a patient’s insurer or employer, or a government department, or an agency assessing a claimant’s entitlement to benefits, may ask you for personal information about a patient, either following an examination or from existing records. In these cases, you should:
- be satisfied that the patient has sufficient information about the scope, purpose and likely consequences of the examination and disclosure, and the fact that relevant information cannot be concealed or withheld
- obtain or have seen written consent to the disclosure from the patient or a person properly authorised to act on the patient’s behalf. You may accept an assurance from an officer of a government department or agency, or a registered health professional acting on their behalf, that the patient or a person properly authorised to act on their behalf has consented
- only disclose factual information you can substantiate, presented in an unbiased manner, which is relevant to the request. You should not usually disclose the whole record,43 although it may be relevant to some benefits paid by government departments and to other assessments of a patient’s entitlement to pensions or other health-related benefits
- offer to show your patient, or give them a copy of, any report you write about them for employment or insurance purposes before it is sent, unless:
- they have already indicated they do not wish to see it
- disclosure would be likely to cause serious harm to the patient or anyone else
- disclosure would be likely to reveal information about another person who does not consent.44, 45
You should, however, usually offer to show your patient or give them a copy of any report you write about them for employment or insurance purposes before it is sent.8
Under the Access to Medical Reports Act 1988, patients are entitled to see a report that has been written about them for employment or insurance purposes by a doctor who is or has been responsible for the clinical care of the individual before it is sent, unless exceptions apply. Patients have the right to ask the doctor to amend any part of the report that the patient considers to be incorrect or misleading, and to attach their disagreement to the report, or to withdraw their consent for the release of the information. These provisions do not apply to reports for benefits purposes. If the patient has no legal right to see the report before it is sent, you should follow the guidance in paragraph 115(d) of Confidentiality, which is reproduced at the start of this explanatory guidance. If any of the exceptions set out in paragraph 115(d) apply, you should still disclose as much of the report as you can.
If a patient asks you to amend a report, you should correct any errors of fact and any opinion that is based on errors of fact. You should not remove information, opinion or advice if you believe the report would be false or misleading as a result.
If a patient withdraws consent for the report to be disclosed, it may be appropriate for you to tell the patient that their decision may lead to adverse consequences for them. For example, the absence of occupational health information could disadvantage the patient in negotiations with their employer. You must, however, abide by the patient’s wishes unless the disclosure is required by law (see paragraph 14) or can be justified in the public interest (see paragraph 15).
If a patient withdraws consent for a report to be disclosed, or fails to attend an appointment, you can let the report commissioner know but you should not disclose any further information.
When you are satisfied that a report should be disclosed, you should complete and send the report without unreasonable delay.
Disclosures required by law
You must disclose information if it is required by law or by the courts. If a disclosure is required by law, you should follow the guidance at paragraphs 87–94 of Confidentiality. If you are not sure whether a disclosure is required by law, you should ask the person or body requesting the information to identify the legal basis, or seek independent legal advice.
There are a large number of laws that require disclosure of patient information – for purposes as diverse as the notification of infectious diseases, the provision of health and social care services, the prevention of terrorism and the investigation of road accidents.
You must disclose information if it is required by law. You should:
- satisfy yourself that personal information is needed, and the disclosure is required by law
- only disclose information relevant to the request, and only in the way required by the law
- tell patients about such disclosures whenever practicable, unless it would undermine the purpose of the disclosure to do so
- abide by patient objections where there is provision to do so.32
You can find advice about disclosures that are permitted but not required by law in paragraph 19.
The courts, both civil and criminal, have powers to order disclosure of information in various circumstances. You must disclose information if ordered to do so by a judge or presiding officer of a court.
You should only disclose information that is required by the court. You should object to the judge or the presiding officer if attempts are made to compel you to disclose what appears to you to be irrelevant information, such as information about a patient’s relative who is not involved in the proceedings. You should also tell the judge or the presiding officer if you think disclosing the information might put someone at risk of harm.
If disclosure is ordered, and you do not understand the basis for this, you should ask the court or a legal adviser to explain it to you. You should also tell the patient whose information the court has asked for what information you will disclose in response to the order, unless that is not practicable or would undermine the purpose for which disclosure is sought.
You must not disclose personal information to a third party such as a solicitor, police officer or officer of a court without the patient’s explicit consent, unless it is required by law, or ordered by a court, or can be justified in the public interest. You may disclose information without consent to your own legal adviser to get their advice.
In Scotland, the system of precognition means there can be limited disclosure of information in advance of a criminal trial, to both the Crown and defence, without the patient’s explicit consent. You should cooperate with precognition, but the disclosure must be confined solely to the nature of injuries, the patient’s mental state, or pre-existing conditions or health, documented by the examining doctor, and their likely causes. If they want further information, either side may apply to the court to take a precognition on oath. If that happens, you will be given advance warning and you should seek legal advice about what you may disclose.33
Disclosures in the public interest
Disclosing personal information about a patient without consent may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. This could arise, for example, if a patient may pose a serious risk to others through being unfit for work or if conditions at work are unsafe.9 If you think that a disclosure may be justified in the public interest, you should follow the guidance at paragraphs 63–70 of Confidentiality.
Confidential medical care is recognised in law as being in the public interest. The fact that people are encouraged to seek advice and treatment benefits society as a whole as well as the individual. But there can be a public interest in disclosing information to protect individuals or society from risks of serious harm, such as from serious communicable diseases or serious crime.23
If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm. The benefits to an individual or to society of the disclosure must outweigh both the patient’s and the public interest in keeping the information confidential.
Such a situation might arise, for example, if a disclosure would be likely to be necessary for the prevention, detection or prosecution of serious crime, especially crimes against the person. When victims of violence refuse police assistance, disclosure may still be justified if others remain at risk, for example from someone who is prepared to use weapons, or from domestic violence when children or others may be at risk.
Other examples of situations in which failure to disclose information may expose others to a risk of death or serious harm include when a patient is not fit to drive,24 or has been diagnosed with a serious communicable disease,25 or poses a serious risk to others through being unfit for work.26
When deciding whether the public interest in disclosing information outweighs the patient’s and the public interest in keeping the information confidential, you must consider:
- the potential harm or distress to the patient arising from the disclosure – for example, in terms of their future engagement with treatment and their overall health
- the potential harm to trust in doctors generally – for example, if it is widely perceived that doctors will readily disclose information about patients without consent
- the potential harm to others (whether to a specific person or people, or to the public more broadly) if the information is not disclosed
- the potential benefits to an individual or to society arising from the release of the information
- the nature of the information to be disclosed, and any views expressed by the patient
- whether the harms can be avoided or benefits gained without breaching the patient’s privacy or, if not, what is the minimum intrusion.
If you consider that failure to disclose the information would leave individuals or society exposed to a risk so serious that it outweighs the patient’s and the public interest in maintaining confidentiality, you should disclose relevant information promptly to an appropriate person or authority.
Decisions about whether or not disclosure without consent can be justified in the public interest can be complex. Where practicable, you should seek advice from a Caldicott or data guardian or similar expert adviser who is not directly connected with the use for which disclosure is being considered. If possible, you should do this without revealing the identity of the patient.
You must document in the patient’s record your reasons for disclosing information with or without consent. You must also document any steps you have taken to seek the patient’s consent, to inform them about the disclosure, or your reasons for not doing so.
The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 and the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (Northern Ireland) 1997 place duties on employers, the self-employed and people in control of work premises to report certain serious workplace accidents, occupational diseases and specified dangerous occurrences (near misses). You can find out more about these regulations on the website of the Health and Safety Executive (HSE) for England, Wales and Scotland and the website of the Health and Safety Executive for Northern Ireland (HSENI).